When the DORA auditors arrive, everyone was in the resistance

The illusion of compliance in DORA audits

When DORA auditors or supervisors arrive, a familiar pattern emerges across many financial institutions.

Information security officers, compliance teams and risk managers insist they “raised concerns early”, “flagged the risks” or “warned management”. Yet when quarterly reports, annual risk assessments, board packs and escalation logs are reviewed, those warnings are nowhere to be found.

This disconnect is not usually driven by bad faith. It is far more subtle – and far more dangerous.

It represents the illusion of compliance: a collective reconstruction of history under pressure, where informal concerns are retrospectively reframed as formal risk ownership, and silence is reinterpreted as resistance.

DORA audits expose this illusion with particular force.


The post-audit resistance narrative

The phenomenon is strikingly similar to well-known historical patterns.

After periods of systemic failure, societies often experience a surge of retrospective “resistance narratives”: everyone knew it was wrong, everyone tried to stop it, even though contemporary records show broad compliance or silence.

The parallel in DORA audits is uncomfortable but accurate.

Once a supervisory audit begins, many internal actors reposition themselves as having been “on the right side”, despite:

  • clean quarterly risk reports,
  • unqualified annual assessments,
  • absence of escalations,
  • and repeated sign-offs that controls were “adequate”.

The audit does not create the resistance; it creates the need to be seen as having resisted.


Why this happens: psychological and organisational drivers

Psychological self-protection

When auditors arrive, accountability crystallises. People instinctively seek to protect their professional identity.

Admitting “I did not escalate” feels like admitting negligence.
Saying “I raised concerns informally” feels safer.

This is not dishonesty in the classic sense. It is retrospective rationalisation under threat.

The comfort of informality

Many organisations tolerate – even encourage – informal dissent:

  • hallway conversations,
  • side remarks in meetings,
  • vague comments like “this might be challenging”.

These signals feel like risk management, but they create no institutional memory. When pressure comes, nothing can be proven.

Cultural penalisation of formal escalation

In many institutions, formal escalation is implicitly discouraged:

  • it is seen as disruptive,
  • it creates “noise”,
  • it slows programmes down,
  • it risks being labelled as “not pragmatic”.

As a result, risk professionals learn to self-censor – while still believing they have “done their job”.


Why DORA makes this behaviour unsustainable

DORA changes the rules of the game.

Supervisors do not assess:

  • Whether someone felt uncomfortable.
  • Whether concerns were mentioned.
  • Whether issues were known.

They assess:

  • What was documented?
  • When was it escalated?
  • To whom?
  • With what consequence?

Under DORA:

  • Undocumented dissent does not exist.
  • Informal warnings have no regulatory value.
  • Silence is interpreted as assurance.

This is where the illusion collapses.


The operational resilience consequences

The cost of compliance theatre is not reputational; it is structural.

False sense of control

If reports consistently state “adequate”, organisations believe they are resilient — until stress testing, incidents or audits prove otherwise.

Fragile decision-making

Management decisions are only as good as the risk signals they receive.
If dissent never reaches formal channels, decisions are made on incomplete information.

Audit shock and overreaction

When auditors finally surface the gaps, institutions swing from complacency to panic:

  • rushed remediation,
  • excessive controls,
  • blame-shifting.

None of this builds resilience.


From compliance theatre to authentic accountability

The solution is not more reporting. It is changing what is rewarded, recorded and remembered.

Make documented dissent a formal control

Institutions should treat documented disagreement as a control outcome, not a failure.

Examples:

  • mandatory “residual concern” sections in risk reports,
  • explicit recording of second-line objections,
  • tracking of unresolved risk positions over time.

If dissent is not visible, it is not real.

Separate “escalation” from “disloyalty”

Boards and senior management must explicitly state:

“Formal escalation is a professional obligation, not a challenge to authority.”

Without this signal, no cultural change will occur.

Create audit-safe escalation paths

Risk and compliance functions need:

  • clear thresholds,
  • defined recipients,
  • protected channels.

Escalation must be boring, routine and safe – not dramatic.

Reward early discomfort, not late heroics

Post-audit narratives of resistance should be treated with scepticism.

What matters is:

  • what was said before the audit,
  • what was written before the incident,
  • what was escalated before the deadline.

The core lesson of DORA

DORA does not primarily test technology. It tests institutional honesty.

It asks:

  • Were risks truly owned?
  • Were concerns truly escalated?
  • Or was compliance performed for appearances?

In environments where everyone becomes a resister only after the auditors arrive, resilience is an illusion.

True operational resilience begins much earlier – at the moment when someone chooses to put an uncomfortable truth into writing, knowing it will be read, challenged and remembered.

That is not compliance theatre.
That is accountability.
